NoScript

By way of Patrick Logan, I see that Douglas Crockford is recommending that Firefox users should be running with the NoScript extension, which enables you to whitelist or blacklist sites trying to run JavaScript code in the page you’re visiting.

I hadn’t tried NoScript before. Wearing my security-minded developer’s hat, I like the idea. It’s a great way to see which scripts are invoked by various websites, and to understand how those sites behave with those scripts enabled or disabled.

Wearing my civilian hat, I’d wonder about the level of effort required to make those kinds of granular decisions. Douglas Crockford observes:

You might think that you would have to spend a lot of time managing the policy, but surprisingly, you don’t.

On the one hand I’m inclined to agree. We’ve seen the same thing with firewalls that do outbound filtering. But on the other hand, NoScript prompts occur much more frequently. Will civilians be willing to deal with that? I’d be curious to know how non-geeks are getting along with NoScript.

I also have a question about NoScript’s default policy. The NoScript.net tagline reads: “NoScript – JavaScript/Java/Flash blocker for a safer Firefox experience!” However, having just installed it, I find it to be a Java/Silverlight blocker and a Flash allower:

I’ve used NoScript for years…I must be missing the prompts you’re talking about. There’s a notification about blocked scripts, but there’s also an option to turn it off which I did early in the game. I have about 30 sites or so (mostly work-related) that are white-listed, and every other site is prevented from using JavaScript. Most of the time it’s not a problem, and if I need JS temporarily, enabling it is just a click away. Almost all of the common browser vulnerabilities out there require JS which brings my exposure to a much more manageable level.

I have also used NoScript since its early days, but for me the best recommendation came from reading Planet Web Security. (You *are* reading Planet Web Security, aren’t you? http://planet-websecurity.org/ .) The hackers on PWS are the kind of people who find the bugs that result in new point releases of Firefox (and other browsers). They recommend NoScript, and in fact the NoScript author works with some of them to ensure that you are as protected as possible, even in the face of browser bugs. Running NoScript can sometimes protect you from security holes in the browser itself. It’s much more than just site-specific whitelisting.

However, having just installed it, I find it to be a Java/Silverlight blocker and a Flash allower…Just curious: Why?

I suspect Flash has become too common as a content-delivery mechanism to turn off by default. I run one browser with none of the above, and another with all of it on. I never notice the lack of JavaScript, nor Java, nor Silverlight on websites when using my slimmed-down browser. But I often notice the lack of Flash and have to open things in my other browser. No one’s really using Java much anymore, nor Silverlight yet, and JavaScript generally degrades gracefully, being used mostly for interface enhancement rather than content delivery. But if you want to watch a video on many sites (notably YouTube), Flash is the only option.

Good. Now developers and support people have to worry about one more variant. Since when did JavaScript become malicious? If you could elaborate please… Yeah, a page can get annoying and would automatically drive out visitors… but malicious? That’s different. If you are referring to “malicious” as in “cookies are malicious” then you are just firing off wrong alarms and adding a lot of cost to a lot of development shops and support people, and a waste of time on the part of consumers.

engtech / Shital Shah: the most important thing you are protecting yourself against is security bugs in the web applications that you use. A huge number of applications have either XSS or CSRF holes in them (definitions on Wikipedia) and such sites are open to a wide range of malicious attacks. Using NoScript means that even if a site you use has a security hole, attackers will find it much harder to use it to exploit your account.

“Would you say that strategy is equivalent to whitelisting those 30 sites in IE by placing them in the trusted zone?”

Certainly not. For one thing, anything in an IE Trusted Zone has very liberal access to what can be installed on your machine. Especially nefarious ActiveX controls.

Additionally, it’s very easy to use NoScript to temporarily permit a site, but the next time you start your browser, it’s banned again. This is good for single-use instances but you don’t want to give carte blanche access for the site. On the other hand, adding a site to the Trusted Zone requires explicit revocation of those permissions, even if you only wanted to hit a one-off page.

Also, to address the issue of “with so much AJAX out there, how can you survive without JS?”, it’s not all that hard. Good web developers plan for graceful degradation. The bad ones tend to make sites that are dysfunctional without it. Bad sites aren’t usually worth visiting. The small intersection wherein lie “good sites that break without JS” are the handful that are in my whitelist. These include annoying bits of work-related sites, banking, Gmail, etc. where I’ve evaluated the risk and decided that it’s worth giving this site permission to run arbitrary JS code on my machine.

@Shital: this is nothing like “OMG cookies are malicious”. This is like “there’s a bug in QuickTime that allows remote sites to execute arbitrary applications on MY machine with no warning… unless you’re running NoScript.” (NoScript users were protected even on whitelisted sites.) Details here: http://www.gnucitizen.org/blog/0day-quicktime-pwns-firefox (The bug has since been corrected. Make sure you’re up to date on everything.)